Merge pull request #877 from spencerhance/ilb-https-check-config
Check for invalid L7-ILB HTTPS configuration
k8s-ci-robot authored Oct 25, 2019
2 parents 3add0a3 + c07353a commit 76a509c
Showing 2 changed files with 28 additions and 1 deletion.
9 changes: 8 additions & 1 deletion pkg/loadbalancers/l7.go
@@ -19,6 +19,7 @@ package loadbalancers
import (
"encoding/json"
"fmt"
"k8s.io/ingress-gce/pkg/flags"
"strings"

"github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud/meta"
@@ -154,6 +155,13 @@ func (l *L7) edgeHop() error {
// Keeps track if we will "try" to setup frontend resources based on user configuration.
// If user configuration dictates we do not, then we emit an event.
willConfigureFrontend := false
sslConfigured := l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != ""

// Check for invalid L7-ILB HTTPS config before attempting sync
if flags.F.EnableL7Ilb && utils.IsGCEL7ILBIngress(l.runtimeInfo.Ingress) && sslConfigured && l.runtimeInfo.AllowHTTP {
l.recorder.Eventf(l.runtimeInfo.Ingress, corev1.EventTypeWarning, "WillNotConfigureFrontend", "gce-internal Ingress class does not currently support both HTTP and HTTPS served on the same IP (kubernetes.io/ingress.allow-http must be false when using HTTPS).")
return fmt.Errorf("error invalid internal ingress https config")
}

if err := l.ensureComputeURLMap(); err != nil {
return err
@@ -165,7 +173,6 @@ func (l *L7) edgeHop() error {
}
}
// Defer promoting an ephemeral to a static IP until it's really needed.
sslConfigured := l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != ""
if l.runtimeInfo.AllowHTTP && sslConfigured {
klog.V(3).Infof("checking static ip for %v", l)
if err := l.checkStaticIP(); err != nil {
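Review bot: The error returned by the new guard in edgeHop, `fmt.Errorf("error invalid internal ingress https config")`, names neither the Ingress nor the conflicting settings, so a controller log line cannot be tied back to the object that was rejected. The function already formats `l` with `%v` in its static-IP log call, so `return fmt.Errorf("invalid internal ingress https config for %v: allow-http must be false when TLS is configured", l)` would carry that context and drop the redundant "error" prefix. Rejecting the combination before `ensureComputeURLMap` is the safer order, and the comment above the check could say that the sync stops before any resource is touched; presumably resources from an earlier valid sync are left as they were, which is worth confirming. The new `k8s.io/ingress-gce/pkg/flags` import also sits inside the standard-library group rather than with the other non-stdlib imports. edgeHop begins and ends outside the visible hunks.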
20 changes: 20 additions & 0 deletions pkg/loadbalancers/loadbalancers_test.go
@@ -207,6 +207,26 @@ func TestCreateHTTPSILBLoadBalancer(t *testing.T) {
verifyHTTPSForwardingRuleAndProxyLinks(t, j, l7)
}

// Test case with HTTPS ILB Load balancer and AllowHttp set to true (not currently supported)
// Ensure should throw an error
func TestCreateHTTPSILBLoadBalancerAllowHTTP(t *testing.T) {
j := newTestJig(t)

gceUrlMap := utils.NewGCEURLMap()
gceUrlMap.DefaultBackend = &utils.ServicePort{NodePort: 31234, BackendNamer: j.namer}
gceUrlMap.PutPathRulesForHost("bar.example.com", []utils.PathRule{{Path: "/bar", Backend: utils.ServicePort{NodePort: 30000, BackendNamer: j.namer}}})
lbInfo := &L7RuntimeInfo{
AllowHTTP: true,
TLS: []*TLSCerts{createCert("key", "cert", "name")},
UrlMap: gceUrlMap,
Ingress: newILBIngress(),
}

if _, err := j.pool.Ensure(lbInfo); err == nil {
t.Fatalf("j.pool.Ensure(%v) = nil, want err", lbInfo)
}
}

func TestCreateHTTPSLoadBalancer(t *testing.T) {
// This should NOT create the forwarding rule and target proxy
// associated with the HTTP branch of this loadbalancer.
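Review bot: TestCreateHTTPSILBLoadBalancerAllowHTTP passes on any error from `j.pool.Ensure`, so it does not show that the new HTTP+HTTPS guard is what rejected the config. The visible lines do not set `flags.F.EnableL7Ilb`, which the guard requires; if it is not enabled elsewhere in the test setup, the failure asserted here would come from a different path. Consider pinning the cause, for example `if err == nil || !strings.Contains(err.Error(), "invalid internal ingress https config") {` (with `strings` imported if it is not already), and asserting afterwards that no forwarding rule or target proxy was created for the ingress. The comment's "Ensure should throw an error" would read better as `// Ensure should return an error.`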
